**HCSEC-2022-14**

**Bulletin ID:** HCSEC-2022-14

**Affected Products / Versions:** Nomad 0.2.0 through 1.3.0; fixed in 1.1.14, 1.2.8, and 1.3.1.

**Publication Date:** May 24, 2022

**Summary**

Vulnerabilities were identified in the go-getter library that Nomad and Nomad Enterprise (“Nomad”) use for their [artifacts](https://www.nomadproject.io/docs/job-specification/artifact), such that a specially crafted Nomad jobspec can be used for privilege escalation onto client agent hosts. This combined exposure, CVE-2022-30324, affects Nomad versions 0.2.0 through 1.3.0, and is fixed in the 1.1.14, 1.2.8, and 1.3.1 releases.

**Background**

Nomad utilizes HashiCorp’s [go-getter](https://github.com/hashicorp/go-getter) library for the [artifact](https://www.nomadproject.io/docs/job-specification/artifact) stanza that can be included in jobs submitted to the cluster. These custom artifacts (files) can be retrieved using various protocols.

**Details**

Vulnerabilities were discovered externally and internally affecting the [go-getter](https://github.com/hashicorp/go-getter) library ([go-getter security bulletin](https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/); CVE-2022-26945, CVE-2022-30321, CVE-2022-30322, CVE-2022-30323). Nomad uses this library directly for its [artifact](https://www.nomadproject.io/docs/job-specification/artifact) stanza. The vulnerabilities allow Nomad operators who can submit specially crafted jobspecs to escalate privileges onto client agent hosts.

**Remediation**

Customers should upgrade to Nomad or Nomad Enterprise 1.1.14, 1.2.8, 1.3.1, or newer. Please refer to [Upgrading Nomad](https://www.nomadproject.io/docs/upgrade) for general guidance and version-specific upgrade notes.
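The bulletin's affected range has three patched minor series (1.1.x, 1.2.x, 1.3.x) and an older range (0.2.0 up to 1.0.x) with no patched release at all, so a fleet inventory check needs more than a single comparison. The following is an added example, not HashiCorp's code and not part of the bulletin: it encodes the ranges exactly as stated above and classifies constructed sample version strings such as the `nomad version` output an operator might have collected (the `+ent` and `-beta` suffixes are assumed formats, stripped before comparison).

```python
"""Classify Nomad version strings against HCSEC-2022-14 / CVE-2022-30324.

Added example, not HashiCorp's code. Ranges come from the bulletin:
0.2.0 through 1.3.0 affected; fixed in 1.1.14, 1.2.8, and 1.3.1.
Any later minor series (1.4+) is treated as unaffected.
"""
import re
from typing import Dict, Iterable, Tuple

Version = Tuple[int, int, int]

FIRST_AFFECTED: Version = (0, 2, 0)
LAST_AFFECTED: Version = (1, 3, 0)
# First fixed release per minor series, keyed by (major, minor).
FIXED_RELEASES: Dict[Tuple[int, int], Version] = {
    (1, 1): (1, 1, 14),
    (1, 2): (1, 2, 8),
    (1, 3): (1, 3, 1),
}

# Accepts "1.2.8", "v1.2.8", "1.2.8+ent", "1.3.1-beta.1"; trailing suffixes are ignored.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Version:
    """Parse a dotted numeric version into a (major, minor, patch) tuple.

    Raises ValueError for strings that are not versions, so a malformed
    inventory entry is surfaced instead of silently treated as safe.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Nomad version: {text!r}")
    major, minor, patch = (int(part) for part in m.groups())
    return (major, minor, patch)


def is_affected(text: str) -> bool:
    """Return True if this Nomad version is within the CVE-2022-30324 range."""
    v = parse_version(text)
    if v < FIRST_AFFECTED:
        return False  # predates the first affected release
    fixed = FIXED_RELEASES.get((v[0], v[1]))
    if fixed is not None:
        # Patched series: vulnerable only below the patch release.
        return v < fixed
    # Series without a patch release (0.2.x through 1.0.x): affected up to
    # 1.3.0; anything newer than 1.3.0 is a later series and unaffected.
    return v <= LAST_AFFECTED


def triage(inventory: Dict[str, str]) -> Dict[str, bool]:
    """Map host name -> affected flag for a {host: version} inventory."""
    return {host: is_affected(version) for host, version in inventory.items()}


def affected_hosts(inventory: Dict[str, str]) -> Iterable[str]:
    """Hosts that still need the upgrade called for in the Remediation section."""
    return sorted(host for host, flagged in triage(inventory).items() if flagged)


if __name__ == "__main__":
    # Constructed sample inventory; host names and versions are made up.
    sample = {
        "client-a": "v1.3.0",
        "client-b": "1.3.1",
        "client-c": "1.2.7+ent",
        "client-d": "1.1.14",
        "client-e": "1.0.18",
        "client-f": "1.4.0-beta.1",
    }
    for host, flagged in triage(sample).items():
        print(f"{host:10} {sample[host]:14} {'UPGRADE' if flagged else 'ok'}")
```

Run it as a script to see the per-host verdicts; in practice `sample` would be replaced by the versions collected from each client agent. The parser deliberately raises on unparseable input rather than returning "not affected", so a blank or garbled entry cannot hide a vulnerable host.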
**Acknowledgement**

Underlying go-getter issues were identified by external researchers (Joern Schneeweisz of GitLab and Alessio Della Libera of Snyk) and HashiCorp Product Security team members, with the specific Nomad exposure identified during internal investigation.

*We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.*

**Timeline**

- May 24, 2022: CVE published

**References**
- https://discuss.hashicorp.com/t/hcsec-2022-14-nomad-impacted-by-go-getter-vulnerabilities/39932 advisory
- https://www.cve.org/CVERecord?id=CVE-2022-30324 advisory
- https://www.cve.org/CVERecord?id=CVE-2022-26945 advisory
- https://www.cve.org/CVERecord?id=CVE-2022-30321 advisory
- https://www.cve.org/CVERecord?id=CVE-2022-30322 advisory
- https://www.cve.org/CVERecord?id=CVE-2022-30323 advisory